Cloud computing has been a hot topic among federal CIOs and their staffers in recent years.
In response to the Obama Administration’s “Cloud First Initiative” announced in 2011, the US government has significantly reduced the number of applications hosted in government-owned data centers.
The initiative requires government entities to move some of their services (e.g., e-mail) to the cloud, while also ensuring security and proper management of data stored in the cloud.
In 2016, a number of government agencies in California started migrating to the Microsoft cloud.
But as organizations worldwide move more and more of their sensitive information to the cloud, hackers are adapting and seeking new ways to compromise cloud environments.
This problem is particularly acute for government agencies, since hacking of the highly sensitive data they store could imperil national security as well as citizens’ trust. This has been borne out by headline-making breaches at the Office of Personnel Management (OPM), the National Security Agency (NSA), the Philippine Commission on Elections, the US Navy, and other agencies in the last few years.
However, the cost and flexibility advantages of cloud computing are such that federal and local governments continue to push cloud-based initiatives forward.
At the end of last year, Netwrix carried out research to gain deeper insight into organizations’ concerns regarding cloud security and the methods used to ensure data protection in the cloud. More than 600 organizations from multiple industries, including government, were interviewed. This data was analyzed to produce the 2016 Cloud Security Report, highlighting trends and shifts in perceptions of and experience with the technology.
Here are some important takeaways for federal and local governments.
CLOUD MIGRATION FEARS AND CONCERNS
Up to 87 percent of government entities in the US are afraid to move their critical assets to the cloud due to security and privacy concerns.
The major barriers that keep CIOs of state and local governments from a broader adoption of cloud technology are unauthorized access and account hijacking (80 percent), fear of losing control over data (60 percent), and issues associated with data backup and recovery (53 percent).
In short, although cloud providers try hard to secure cloud environments, they haven’t managed to completely persuade the IT community that they can provide the necessary controls to ensure security and prove regulatory compliance.
Indeed, 40 percent of respondents were afraid that they would not be able to enforce all of the required security policies on a cloud provider’s site.
Even more organizations (80 percent) are worried about their own user activity in the cloud, stating that employees with legitimate access to critical systems pose a bigger threat to data integrity than anyone else.
BENEFITS OF MOVING TO THE CLOUD
Despite the common fears, broad cloud adoption is already positively impacting IT security for government agencies that have adopted it.
Almost 50 percent of government agencies said that the cloud has improved the security of their systems and data—and no one stated that their cybersecurity worsened due to cloud adoption.
Cloud computing offers government agencies a powerful instrument to improve risk management, deliver more timely services and significantly reduce burdens on internal IT resources.
According to the survey results, the key benefit that governments have realized through cloud adoption is higher availability of systems (70 percent), followed by flexibility in resource utilization (50 percent), and cost savings (40 percent).
KEYS TO ENSURING CLOUD DATA PROTECTION
No matter what security mechanisms an organization has in place, there will always be risk of malicious activity by insiders or external hackers.
Asked if they would welcome greater visibility into user activity in the cloud, the vast majority of government agencies (93 percent) agreed it is a critical component for security and business integrity.
Without a clear understanding of what’s going on in their IT environments, organizations cannot keep sensitive data under control or be confident about utilizing powerful cloud technologies.
In summary, the vast majority of federal agencies and government departments are pushing ahead with cloud-based initiatives, despite major reservations concerning security aspects moving critical assets to the cloud.
Attitudes will only change when there is greater visibility into user activity supported by tools to help them mitigate cloud data leakage risks. Such tools should include security policy validation, better user accountability, and early notification of internal and external threats.